Application Note
Setting up an iCAP Server for
ISG-1000/2000 AV Support
Version 1.1
Juniper Networks, Inc. 1194 North Mathilda Avenue Sunnyvale, CA 94089 USA 408 745 2000 or 888 JUNIPER
Contents
Introduction
Prerequisites
Installation of the External AV Scanner
Administering Scan Engine 5.0
Installing the License
How External Scanning Works
Configuring the ISG-1000/2000 for External AV Scanning
Introduction
Beginning with ScreenOS 5.4.0, the ISG-1000 and ISG-2000 support anti-virus scanning through a Symantec iCAP server. This document describes the requirements for running AV on an ISG-1000 or ISG-2000.
Prerequisites
Requirements on the firewall are as follows:
• ISG-1000 or ISG-2000
• ScreenOS 5.4.0r1 or higher
The external scanner must be installed on a server running one of the following operating systems:
• Windows 2000 Server (with Service Pack 3)
• Windows 2003 Server
• Solaris 8/9
• Red Hat Linux 9.0
• Red Hat Enterprise Linux 3.0
• Red Hat Linux Advanced Server 2.1
• SuSE Linux Enterprise Server 8
All servers require a direct connection to the Internet and the Sun Java 2 run-time environment (version 1.4.2_06 or later within the 1.4.2 platform).
IE 6.0 SP1 or later is additionally required to run the admin tool in a web browser.
Installation of the External AV Scanner
The external AV scanner is supported with Symantec Scan Engine 5.0. This engine uses iCAP v1.0 and is fully compliant with RFC 3507. Customers need to purchase the Symantec Scan Engine 5.0 server software from their VAR or reseller.
You can administer the Scan Engine server from your desktop using IE 6.0 SP1 or higher; make sure Java 2 is enabled on your PC.
The administration tool is accessed over HTTP on port 8004. For example, if your Scan Engine 5.0 server is at 172.19.50.138, the admin tool is at http://172.19.50.138:8004
Installing the License
1. Before you can begin, you will need to install your license on your Scan Engine 5.0 server. From the administration screen, click the System icon.
2. Click Install License. Browse to the location where your license key file is, and click Install.
At this point, the server is now set up for antivirus updates.
Configuring the ISG-1000/2000 for External AV Scanning
When setting up the ISG-1000/2000 for external AV scanning, the server must be able to access the Internet directly (without going through a proxied connection). The server must also be reachable on TCP port 1344, the port the iCAP service listens on.
The steps for configuration are as follows:
1. Create a server object
2. Create an AV Profile, and bind the server object to the AV profile
3. Create your policies, and bind the AV profile to any policies where AV scanning is required
To walk through this procedure, we will assume the Symantec Scan Engine 5.0 server is accessible at IP address 172.19.50.138. We will create an iCAP AV server named JTAC_ICAP and an AV Profile named ICAP_AV.
(Note: use object names without spaces for compatibility.)
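The note states that the engine speaks iCAP v1.0 per RFC 3507 and that the firewall must reach it on TCP port 1344. The Python script below is an added example, not Juniper's or Symantec's code: it builds the two ICAP messages the firewall sends (OPTIONS as a reachability and capability check, RESPMOD carrying the origin server's HTTP response for scanning) and interprets the engine's reply the way the firewall must (204 = content unchanged and delivered, 200 = the engine substituted its own response, anything else = error). The scanner address and port come from the note; the service path /avscan, the origin HTTP exchange, the sample replies and the X-Infection-Found header (taken from the ICAP extensions draft, not guaranteed for this engine) are constructed assumptions, so check the Scan Engine documentation for the real service name.

```python
"""ICAP/1.0 (RFC 3507) message builder and reply parser.
Added example for this application note, not Juniper's or Symantec's code.  The
scanner address and TCP port 1344 come from the note; the service path "/avscan",
the origin HTTP exchange and the scanner replies below are constructed."""
import re
import socket

ICAP_HOST = "172.19.50.138"  # Scan Engine address used in the note
ICAP_PORT = 1344             # ICAP port the note says the firewall must reach
SERVICE = "/avscan"          # hypothetical service path; check the engine's docs
CRLF = b"\r\n"

def chunked(body: bytes) -> bytes:
    """ICAP carries encapsulated bodies in HTTP chunked encoding."""
    return b"%x\r\n" % len(body) + body + b"\r\n0\r\n\r\n"

def build_options_request(host=ICAP_HOST, port=ICAP_PORT, service=SERVICE) -> bytes:
    """OPTIONS is the ICAP health check; the reply lists supported methods/features."""
    return (f"OPTIONS icap://{host}:{port}{service} ICAP/1.0\r\nHost: {host}\r\n"
            "Encapsulated: null-body=0\r\n\r\n").encode()

def build_respmod_request(req_hdr, res_hdr, body, host=ICAP_HOST, port=ICAP_PORT,
                          service=SERVICE) -> bytes:
    """Wrap an origin server's HTTP response in a RESPMOD request, the message the
    firewall sends so the engine can scan content before delivery.  Encapsulated
    gives each part's byte offset from the start of the ICAP body."""
    head = (f"RESPMOD icap://{host}:{port}{service} ICAP/1.0\r\nHost: {host}\r\n"
            "Allow: 204\r\n"  # lets the engine answer a clean scan with 204
            f"Encapsulated: req-hdr=0, res-hdr={len(req_hdr)}, "
            f"res-body={len(req_hdr) + len(res_hdr)}\r\n\r\n").encode()
    return head + req_hdr + res_hdr + chunked(body)

def split_head(raw: bytes):
    """Split an ICAP or HTTP message into (start line, header dict, remainder)."""
    head, _, rest = raw.partition(CRLF + CRLF)
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, rest

def parse_encapsulated(value: str) -> dict:
    """'req-hdr=0, res-hdr=51, res-body=116' -> {'req-hdr': 0, 'res-hdr': 51, ...}"""
    return {k.strip(): int(v) for k, v in (p.split("=") for p in value.split(","))}

def decode_chunked(data: bytes) -> bytes:
    """Reassemble a chunked body; chunk extensions such as ';ieof' are ignored."""
    out = b""
    while True:
        size_line, _, data = data.partition(CRLF)
        size = int(size_line.split(b";")[0], 16)
        if size == 0:
            return out
        out += data[:size]
        data = data[size + 2:]  # skip the chunk data and its trailing CRLF

def icap_status(raw_reply: bytes):
    """Return (status code, headers, remainder) of an ICAP/1.0 reply."""
    start, headers, rest = split_head(raw_reply)
    m = re.match(r"ICAP/1\.0 (\d{3})", start)
    if not m:
        raise ValueError("not an ICAP/1.0 reply: %r" % start)
    return int(m.group(1)), headers, rest

def scan_verdict(raw_reply: bytes) -> dict:
    """Interpret a RESPMOD reply as the firewall must: 204 = content unchanged
    (clean, deliver it); 200 = the engine substituted its own HTTP response (the
    block page for infected content); anything else = error (fail open or closed)."""
    status, headers, rest = icap_status(raw_reply)
    if status == 204:
        return {"status": 204, "action": "deliver"}
    if status == 200:
        enc = parse_encapsulated(headers.get("encapsulated", "null-body=0"))
        body = decode_chunked(rest[enc["res-body"]:]) if "res-body" in enc else b""
        return {"status": 200, "action": "replace", "body": body,
                "threat": headers.get("x-infection-found")}  # ICAP extensions draft header; optional
    return {"status": status, "action": "error"}

def probe_options(host=ICAP_HOST, port=ICAP_PORT, timeout=5.0) -> int:
    """Live reachability check: connect to TCP 1344, send OPTIONS, return the status."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_options_request(host, port))
        return icap_status(s.recv(4096))[0]

# Constructed origin exchange handed to the scanner
SAMPLE_REQ_HDR = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
SAMPLE_RES_HDR = b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\nContent-Length: 13\r\n\r\n"
SAMPLE_BODY = b"hello, world\n"

# Constructed scanner replies: a clean verdict and a replaced (blocked) response
CLEAN_REPLY = b'ICAP/1.0 204 No Content\r\nISTag: "example-tag"\r\nEncapsulated: null-body=0\r\n\r\n'
BLOCK_HTTP = b"HTTP/1.1 403 Forbidden\r\nContent-Type: text/plain\r\n\r\n"
BLOCK_REPLY = (b'ICAP/1.0 200 OK\r\nISTag: "example-tag"\r\n'
               b"X-Infection-Found: Type=0; Resolution=2; Threat=EICAR-Test-File;\r\n"
               b"Encapsulated: res-hdr=0, res-body=%d\r\n\r\n" % len(BLOCK_HTTP)
               + BLOCK_HTTP + chunked(b"Content blocked by the virus scanner\n"))
```

Calling probe_options() from a host on the same path as the firewall is a quick way to confirm the port 1344 requirement: a refused or timed-out connection means the firewall will not be able to hand traffic to the engine either, and a 200 reply confirms the service answers. The Allow: 204 header in the RESPMOD request matters for throughput, since it lets the engine confirm clean content without echoing it back.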
WebUI Configuration
1. Create the AV server named JTAC_ICAP at 172.19.50.138, as shown in the illustration below:
[Illustration not reproduced]
2. Click OK.
3. Next, create the AV Profile. Go to Screening > Antivirus > Profile and click New.
4. Enter the profile name ICAP_AV.
5. Click OK.
You will see a list of the profiles created.
6. Next to ICAP_AV, click Edit.
CLI Configuration
1. First, create the server object. The CLI command for this is:
set icap server JTAC_ICAP host 172.19.50.138
2. Create the AV Profile, and bind JTAC_ICAP to this profile:
nsisg2000-> set av profile ICAP_AV
nsisg2000(av:ICAP_AV)-> set icap JTAC_ICAP
nsisg2000(av:ICAP_AV)-> exit
nsisg2000->
3. Create the policy, and bind the AV profile to the policy:
nsisg2000-> set policy from trust to untrust any any http permit
policy id = 1
nsisg2000-> set policy id 1
nsisg2000(policy:1)-> set av ICAP_AV
nsisg2000(policy:1)-> exit
nsisg2000->